CVE-2024-11083

5.3 MEDIUM

📋 TL;DR

The ProfilePress WordPress plugin exposes sensitive information through WordPress core search functionality. Unauthenticated attackers can access restricted content intended for administrators and other privileged roles. All WordPress sites using ProfilePress versions up to 4.15.18 are affected.

💻 Affected Systems

Products:
  • ProfilePress WordPress Plugin
Versions: All versions up to and including 4.15.18
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress core search functionality to be enabled and ProfilePress plugin to be active.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers extract sensitive administrative posts, private user data, or confidential business information that was intended to be restricted.

🟠

Likely Case

Unauthenticated users access posts with sensitive operational details, user information, or draft content that should be role-restricted.

🟢

If Mitigated

With proper access controls and monitoring, exposure is limited to non-critical information with detection of unauthorized access attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only standard WordPress search functionality without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.15.19

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3197296/wp-user-avatar

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find ProfilePress and click 'Update Now'.
4. Verify the version is 4.15.19 or higher.

🔧 Temporary Workarounds

Disable WordPress Search

Platform: all

Temporarily disable WordPress core search functionality to prevent exploitation.

Add the following to the active theme's functions.php:

    add_filter('pre_get_posts', function ($query) {
        // Restrict every search query to post ID 0, which never exists,
        // so any search returns no results while the plugin stays active.
        // Note: this also affects admin-side and plugin-issued WP_Query searches;
        // add "! is_admin() && $query->is_main_query()" to the condition to limit
        // it to front-end searches only.
        if ($query->is_search) {
            $query->set('post__in', array(0));
        }
        return $query;
    });

Deactivate ProfilePress Plugin

Platform: linux

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate wp-user-avatar

🧯 If You Can't Patch

  • Implement web application firewall rules to block suspicious search patterns
  • Enable detailed logging of all search queries and monitor for unusual patterns

🔍 How to Verify

Check if Vulnerable:

Check ProfilePress plugin version in WordPress admin panel under Plugins → Installed Plugins.

Check Version:

wp plugin get wp-user-avatar --field=version

Verify Fix Applied:

Confirm ProfilePress version is 4.15.19 or higher and test search functionality with restricted posts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual search query patterns, especially targeting restricted content slugs or IDs
  • Multiple search requests from single IP addresses in short timeframes

Network Indicators:

  • HTTP GET requests carrying the /?s= search parameter with suspicious search terms
  • Repeated search requests with incremental parameters

SIEM Query:

source="wordpress.log" AND ("?s=" OR "search=") AND status=200 | stats count by src_ip
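The log indicators above, turned into runnable detection logic as an added example (not part of the advisory): the script parses constructed Apache combined-format access-log lines, keeps successful (status 200) requests whose query string carries s= or search=, and flags any source IP that issues three or more such requests inside a 60-second window. The log format, threshold and window are assumptions; tune them to your site's normal search volume.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2024:10:00:01 +0000] "GET /?s=private HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [10/Dec/2024:10:00:02 +0000] "GET /?s=draft HTTP/1.1" 200 5100 "-" "curl/8.4.0"
203.0.113.7 - - [10/Dec/2024:10:00:03 +0000] "GET /?s=password HTTP/1.1" 200 4980 "-" "curl/8.4.0"
198.51.100.4 - - [10/Dec/2024:10:00:10 +0000] "GET /?s=hello HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2024:10:05:10 +0000] "GET /about/ HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2024:10:00:04 +0000] "GET /?s=salary HTTP/1.1" 200 5000 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SEARCH_RE = re.compile(r'[?&](s|search)=')  # WordPress core search parameter

def parse_search_hits(log_text):
    """Return (ip, timestamp) pairs for successful (HTTP 200) search requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group('status') != '200':
            continue
        if not SEARCH_RE.search(m.group('path')):
            continue
        ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
        hits.append((m.group('ip'), ts))
    return hits

def flag_search_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {ip: total_search_hits} for IPs with >= threshold hits in any window."""
    by_ip = defaultdict(list)
    for ip, ts in parse_search_hits(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```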
